Empirical and Behavioral Security:

Web Security

Improving Client-Side Web Security. Lightweight Analyses of Server-Side Applications. Vulnerability Notifications.


From humble beginnings of merely sharing information, the Web has rapidly become the most important and highly interactive driver of modern life, society, and economy, as it enables, among other things, information retrieval, social exchange, and online shopping. With this massive increase in importance, vulnerabilities in Web applications have become enormous threats to users and their sensitive data. Within the area of Web security, we aim to understand new threats, develop mechanisms to detect and mitigate them, and investigate means of automatically securing applications.


Improving Client-Side Web Security

To allow for seamless usage of Web applications, recent years have shown a shift from purely server-side code to rich, client-side applications. This shift also increases the complexity of client-side code and hence the attack surface. We therefore develop novel methods to automatically find known classes of flaws in the client-side code, leveraging the unique situation that a client-side application can be tested in a whitebox fashion. In addition, we investigate novel classes of attacks and propose countermeasures.

Lightweight Analyses of Server-Side Applications

Although the client is gaining in importance, a significant fraction of the application still resides on the server. We hence study techniques to discover server-side flaws, such as Cross-Site Request Forgery, Cross-Site Scripting, or SQL injections. Our key focus is on lightweight approaches, which can be used to analyze applications with very large code bases.

Efficient and Effective Vulnerability Notifications

Although detection of many types of web-based flaws has been a focus of researchers over the previous years, perhaps the most important aspect -- that of notifying affected parties -- has received barely any attention. We aim to close this gap by investigating how we can effectively and at scale inform affected parties and persuade them to apply fixes and secure their web applications and infrastructure. This involves the investigation of technical measures (such as communication channels), but importantly also aims at understanding how best to present technical details such that even lay users can understand and remediate the flaws.